Scoop’s Open Source Adserver

There has been a great deal of talk about the poor coding efforts of Wheedle.

NBR broke that story and found security holes in the site of another Trademe wannabe.

This post is about another woeful coding effort, this time from Scoop.co.nz. This has all the hallmarks of the infamous Labour Party screw up with their website but with a very real risk in this instance of someone placing malicious code within sites that are having ads served by Scoop.

To be extremely clear before I go into the story. I have not hacked or performed any hacking of Scoop or any other site. The aderver is completely open to the public and searchable via Google. 

I also shared my discovery with some media so as to protect myself from accusations of hacking. You simply do not need to perform any such illegal activity as Scoop has left the door wide open and the keys in the ignition.

I was searching on Google for some details about adservers for a project I am working on and stumbled upon something that is very concerning about the set up of Scoop’s adserver. For a start to you can google it. (Image of search).

Even basic protections like creating a disallow for the folder that contains the adserver in their robots.txt have not been perfomred. That is not security, rather it is obscurity that at the very least would have hidden the adserver from search results.

Once you find it however, then you have unfettered administrative rights to the entire adserver:

I was able to view their entire adserver setup:

Including settings for individual ads:

Access and edit live ads:

Control which sites they would appear on:

Create new campaigns:

Place new ads:

And ad code including iframe code that would allow me, or anyone else for that matter to place malicious code within sites that Scoop delivers ads to:

This line in their source calls code into an iframe:

<iframe id=”ad_50767E148AB1_SCSG” align=”center” src=”/xl?c=SCSG;iframeid=ad_50767E148AB1_SCSG” width=”988″height=”26″ frameborder=”0″ marginwidth=”0″ marginheight=”0″ vspace=”0″ hspace=”0″ scrolling=”no”>

Because the content of that iframe is editable, anyone could inject their own malicious code to distribute malware etc. You could happily play havoc without them being any the wiser.

To prove my point I have placed ads on Scoop and on The Standard…ads they really wouldn’t want on there, but I could do it nonetheless, without any hacking.

On Scoop:

On The Standard:

This is very shoddy work from Scoop Media. If I had my advertising with them  I would be distinctly unhappy that they had potentially exposed my site to the risks of malicious code. If I was an advertiser I’d be more unhappy that all my campaign details are there for all to see.

One wonders what other security holes exist on Scoop’s website.


Do you want:

  • Ad-free access?
  • Access to our very popular daily crossword?
  • Access to daily sudoku?
  • Access to Incite Politics magazine articles?
  • Access to podcasts?
  • Access to political polls?

Our subscribers’ financial support is the reason why we have been able to offer our latest service; Audio blogs. 

Click Here  to support us and watch the number of services grow.

As much at home writing editorials as being the subject of them, Cam has won awards, including the Canon Media Award for his work on the Len Brown/Bevan Chuang story. When he’s not creating the news, he tends to be in it, with protagonists using the courts, media and social media to deliver financial as well as death threats.

They say that news is something that someone, somewhere, wants kept quiet. Cam Slater doesn’t do quiet and, as a result, he is a polarising, controversial but highly effective journalist who takes no prisoners.

He is fearless in his pursuit of a story.

Love him or loathe him, you can’t ignore him.

52%